add pac

Signed-off-by: gwg313 <gwg313@pm.me>
gwg313 2026-06-28 17:56:19 -04:00
parent ef827b2c69
commit e507515766
Signed by: gwg313
GPG key ID: 60FF63B4826B7400
43 changed files with 895 additions and 128 deletions


@ -0,0 +1,6 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
namespace: argocd
data: {}
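Review bot: A ConfigMap named argocd-cm in the argocd namespace with `data: {}` will erase every existing Argo CD setting if it is applied as a full object, and the kustomization in the next section lists it under `resources:`, which does exactly that. If this is meant as a patch (the referenced filename `argocd-cm-patch.yaml` suggests so, though the file path itself is not visible here), move it to `patches:` in that kustomization; if it is meant to own the ConfigMap, populate `data` with the intended keys instead of an empty map. A one-line comment above `data:` stating which of the two it is would stop the next reader from guessing.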


@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- argocd-cm-patch.yaml


@ -3,5 +3,7 @@ kyverno:
replicas: 2
features:
loggingFormat: text
policyExceptions:
enabled: true
telemetry:
enabled: false
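Review bot: Enabling `policyExceptions` lets any principal able to create PolicyException objects carve exemptions out of every Kyverno policy in this repo, and nothing in the hunk restricts where such objects may live. If this chart version exposes `features.policyExceptions.namespace`, pin it to a single admin-controlled namespace rather than leaving the default, and keep create/update on PolicyException in that namespace limited by RBAC. Which of these lines are new is not recoverable from the rendered page, so this applies whether the feature was switched on here or only reformatted.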


@ -17,6 +17,12 @@ spec:
- resources:
kinds:
- Pod
exclude:
any:
- resources:
namespaceSelector:
matchLabels:
policy.home.arpa/allow-any-capabilities: "true"
validate:
message: "All containers must drop ALL Linux capabilities."
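Review bot: The namespace-label exclusion `policy.home.arpa/allow-any-capabilities: "true"` turns a single namespace label into a complete bypass of this policy, and the same pattern is added for allow-root, allow-hostpath and allow-latest-tag in the later hunks of this commit. Whoever can edit namespace labels can now exempt an entire namespace from all four policies, so write access to namespace labels needs to be restricted (RBAC, or a Kyverno rule protecting the `policy.home.arpa/` prefix) and each currently labelled namespace should be reviewed. A comment above the `exclude:` block would make the intent reviewable, e.g. `# Namespace-level opt-out; setting this label must stay restricted to cluster admins`. The enclosing rule starts outside the hunk.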


@ -23,6 +23,10 @@ spec:
selector:
matchLabels:
security.policy/allow-root: "true"
- resources:
namespaceSelector:
matchLabels:
policy.home.arpa/allow-root: "true"
validate:
message: "Pods must set runAsNonRoot=true."
@ -43,6 +47,10 @@ spec:
selector:
matchLabels:
security.policy/allow-root: "true"
- resources:
namespaceSelector:
matchLabels:
policy.home.arpa/allow-root: "true"
validate:
message: "All containers must set runAsNonRoot=true."
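Review bot: The new exclusion keys on `policy.home.arpa/allow-root` while the existing selector a few lines above keys on `security.policy/allow-root`, so the same exemption now lives under two label prefixes. Converging on one prefix (the `policy.home.arpa/` one used by the other policies in this commit) keeps the bypass labels greppable and means auditors check one key per policy rather than two. Both hunks in this file add the same block; the rule definitions they extend start outside the hunks.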


@ -11,6 +11,12 @@ spec:
any:
- resources:
kinds: ["Pod"]
exclude:
any:
- resources:
namespaceSelector:
matchLabels:
policy.home.arpa/allow-hostpath: "true"
validate:
message: "hostPath volumes are not allowed (escape risk)."


@ -23,6 +23,10 @@ spec:
- tekton-pipelines
- key: tekton.dev/task
operator: Exists
- resources:
namespaceSelector:
matchLabels:
policy.home.arpa/allow-latest-tag: "true"
validate:
message: "Using the 'latest' tag or omitting image tags is forbidden. Use a specific version semantic tag."
foreach:


@ -9,7 +9,7 @@ metadata:
policies.kyverno.io/description: >-
Automatically provisions a baseline CiliumNetworkPolicy
with default deny ingress and controlled DNS egress.
argocd.argoproj.io/sync-options: Force=true,Replace=true
argocd.argoproj.io/sync-options: Replace=true
spec:
background: true
@ -55,6 +55,8 @@ spec:
metadata:
labels:
security-tier: baseline
annotations:
argocd.argoproj.io/sync-options: Prune=false
spec:
endpointSelector: {}
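Review bot: The `Prune=false` annotation added to the generated CiliumNetworkPolicy is unexplained, and together with the sync-options change on the policy itself (`Force=true,Replace=true` versus `Replace=true`; which line is old and which is new is not recoverable from the rendered page) a reader cannot tell why pruning had to be disabled. A comment above the annotation stating the reason — presumably that Argo CD would otherwise treat the Kyverno-generated object as an orphan and delete the default-deny — would make the intent checkable, e.g. `# Prevent Argo CD from pruning objects generated by this policy`. The `generate` block continues outside the hunk.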


@ -0,0 +1,21 @@
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: audit-network-connections
annotations:
security-tier: audit-baseline
description: "Logs outound TCP connections at the kernel level."
spec:
kprobes:
- call: "tcp_connect"
syscall: false
args:
- index: 0
type: "sock"
selectors:
- matchArgs:
- index: 0
operator: "NotDAddr"
values:
- "127.0.0.1"
- "::1"
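Review bot: The `NotDAddr` selector only drops loopback destinations, so every pod-to-pod and pod-to-service TCP connect in the cluster produces an event; if the audit-baseline tier is meant to run everywhere, state the expected volume and retention in the description so operators know what they are signing up for. The description also reads "outound" where "outbound" is meant. `security-tier` is an annotation here but a label on the generated CiliumNetworkPolicy elsewhere in this commit; labels are selectable, annotations are not, so pick one consistently.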


@ -0,0 +1,23 @@
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: audit-process-execution
annotations:
security-tier: audit-baseline
description: "Logs all process executions (sys_execve) for cluster-wide visibility."
spec:
kprobes:
- call: "sys_execve"
syscall: true
args:
- index: 0
type: "string"
- index: 1
type: "string_array"
selectors:
- matchPIDs:
- operator: NotIn
followForks: true
isNamespacePID: true
values:
- 1
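Review bot: The kprobe attaches only to `sys_execve`, so executions via `execveat(2)` (the `fexecve` path) are not captured, which contradicts the description's "all process executions"; either add a second `kprobes` entry for `sys_execveat` or narrow the description. The `matchPIDs` selector combining `NotIn 1`, `followForks: true` and `isNamespacePID: true` should be confirmed against Tetragon's documented semantics — if followForks extends the exclusion to PID 1's descendants, in a container PID namespace that would filter out nearly every workload process. Tetragon's base sensor already emits process_exec events for every exec, so also check that this policy is adding something beyond those rather than duplicating them.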


@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- audit-process-execution.yaml
- audit-network-connections.yaml
commonAnnotations:
argocd.argoproj.io/sync-wave: "1"


@ -2,11 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- tracingpolicy-shell-spawn.yaml
- tracingpolicy-network-connections.yaml
- tracingpolicy-sensitive-binaries.yaml
- tracingpolicy-privilege-escalation.yaml
- tracingpolicy-sensitive-file-access.yaml
- 10-audit-baseline
# - 20-enforce-execution
# - 30-enforce-fim
# - 40-enforce-network
# - 50-enforce-privilege
commonLabels:
app.kubernetes.io/part-of: tetragon-policies
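Review bot: Replacing the five explicit TracingPolicy entries with `10-audit-baseline` while the four enforce directories stay commented out means the shell-spawn, privilege-escalation, sensitive-binary and sensitive-file-access detections deleted elsewhere in this commit are no longer deployed at all until those directories exist. If that is deliberate staging, say so in the comment block, e.g. `# enforce layers are disabled until their policies are ported; only the audit baseline ships today`; otherwise keep the detect-* policies under the audit layer until replacements land, so coverage does not regress in the meantime.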


@ -1,8 +0,0 @@
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: detect-network-connections
spec:
tracepoints:
- subsystem: tcp
event: tcp_connect


@ -1,9 +0,0 @@
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: detect-privilege-escalation
spec:
kprobes:
- call: "commit_creds"
syscall: false
return: true


@ -1,29 +0,0 @@
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: detect-sensitive-binary-execution
spec:
kprobes:
- call: "security_bprm_check"
syscall: false
selectors:
- matchBinaries:
- operator: In
values:
- /usr/bin/curl
- /usr/bin/wget
- /usr/bin/nc
- /usr/bin/netcat
- /usr/bin/nmap
- /usr/bin/socat
- /usr/bin/ssh
- /usr/sbin/iptables
- /usr/bin/apt
- /usr/bin/apt-get
args:
- index: 0
type: string
return: true


@ -1,25 +0,0 @@
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: detect-sensitive-file-access
spec:
kprobes:
- call: "security_file_open"
syscall: false
selectors:
- matchArgs:
- index: 0
operator: Prefix
values:
- /etc/shadow
- /etc/passwd
- /root
- /proc/kcore
- /var/run/secrets/kubernetes.io
args:
- index: 0
type: string
return: true


@ -1,24 +0,0 @@
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: detect-shell-spawn
spec:
kprobes:
- call: "security_bprm_check"
syscall: false
selectors:
- matchBinaries:
- operator: In
values:
- /bin/sh
- /bin/bash
- /bin/dash
- /bin/ash
- /busybox/sh
args:
- index: 0
type: string
return: true